Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A system comprising: one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to: provision, for a subscriber account associated with a service provider network, computing resources in the service provider network to support an end service on behalf of the subscriber account; receive a first request from a client device to establish a session with the end service, the first request including a unique account identifier of a user account to access the end service; select, based at least in part on the first request and from a group of subscriber devices, a subscriber device associated with the subscriber account that manages a user directory associated with the user account; send, using a web API and to the subscriber device, a second request including the unique account identifier to provide user data associated with the user account, the user data being stored in the user directory that is accessible by the subscriber device; receive, via the web API, a response from the subscriber device that includes the user data, the user data including: authentication data to authenticate the client device; and an indication of access permissions for the user account to interact with the end service; authenticate, based at least in part on the authentication data, the client device to establish the session; receive, during the session, a third request from the client device to perform an operation associated with the end service; and perform the operation associated with the end service based at least in part on the operation being permitted by the access permissions for the user account.
This system operates in the domain of cloud-based service provisioning and user authentication, addressing the challenge of securely managing user access to end services hosted in a service provider network. The system provisions computing resources within the service provider network to support an end service on behalf of a subscriber account. When a client device initiates a session with the end service, the system receives a request containing a unique account identifier. It then selects a subscriber device associated with the subscriber account that manages a user directory linked to the user account. The system sends a request to this subscriber device via a web API, including the unique account identifier, to retrieve user data stored in the user directory. The subscriber device responds with user data, including authentication credentials and access permissions for the user account. The system authenticates the client device using the authentication data and establishes the session. During the session, if the client device submits a request to perform an operation associated with the end service, the system verifies whether the operation is permitted by the user account's access permissions before executing it. This approach centralizes user authentication and authorization, ensuring secure and controlled access to cloud-hosted services.
2. The system of claim 1, wherein: the first request received from the client device further includes a password for the user account; the second request sent to the subscriber device further includes the password; the user data included in the response further includes an indication that the password is valid for the user account; and authenticating the client device to establish the session is based at least in part on the password being valid for the user account.
This claim covers a system for authenticating a client device to access an end service on behalf of a user account, where the first request from the client device includes a password for the user account. The system then sends a second request, which also includes the password, to the subscriber device that manages the user directory for that account. The response from the subscriber device includes, in the user data, an indication that the password is valid for the user account. The client device is authenticated to establish a session based at least in part on the password being confirmed as valid for the user account. The service itself does not verify the password: it relies on the subscriber device to check the password against the user directory and report the result before the session is established.
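The flow in claim 1 with the password variant of claim 2, as an added example (not code from the patent or its assignee). The in-process `SubscriberDirectoryAPI` class stands in for the subscriber's web API, and selecting the subscriber from an `@suffix` on the account identifier is an assumption, since the claims do not say how the selection is made; all names, accounts and permissions are constructed.

```python
import hashlib
import hmac
import secrets


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the directory never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SubscriberDirectoryAPI:
    """Stand-in for the subscriber device's web API in the remote network."""

    def __init__(self):
        self._users = {}

    def add_user(self, account_id, password, permissions):
        salt = secrets.token_bytes(16)
        self._users[account_id] = {
            "salt": salt,
            "hash": _pw_hash(password, salt),
            "permissions": frozenset(permissions),
        }

    def get_user_data(self, account_id, password):
        """The 'second request': returns the user data for the account."""
        rec = self._users.get(account_id)
        if rec is None or not hmac.compare_digest(
            _pw_hash(password, rec["salt"]), rec["hash"]
        ):
            # No permissions are disclosed for a failed lookup.
            return {"password_valid": False}
        return {"password_valid": True, "permissions": sorted(rec["permissions"])}


class EndService:
    """Service-provider side: delegates authentication, enforces permissions."""

    def __init__(self, subscriber_apis):
        self._apis = dict(subscriber_apis)   # subscriber name -> web API
        self._sessions = {}                  # session token -> permissions

    def _select_subscriber(self, account_id):
        # Assumption: the subscriber is named after '@' in the identifier.
        _, sep, subscriber = account_id.rpartition("@")
        return self._apis.get(subscriber) if sep else None

    def open_session(self, account_id, password):
        """The 'first request': returns a session token, or None on failure."""
        api = self._select_subscriber(account_id)
        if api is None:
            return None                      # unknown subscriber: fail closed
        user_data = api.get_user_data(account_id, password)
        if user_data.get("password_valid") is not True:
            return None                      # missing or false: fail closed
        token = secrets.token_urlsafe(32)
        # The password is not kept; only the returned permissions are.
        self._sessions[token] = frozenset(user_data.get("permissions", ()))
        return token

    def perform(self, token, operation):
        """The 'third request': allowed only if the permissions list it."""
        permissions = self._sessions.get(token)
        return permissions is not None and operation in permissions


def build_demo_service():
    # Constructed sample data: two subscribers, one user each.
    acme = SubscriberDirectoryAPI()
    acme.add_user("alice@acme.example", "correct horse", ["list", "download"])
    globex = SubscriberDirectoryAPI()
    globex.add_user("bob@globex.example", "battery staple", ["list"])
    return EndService({"acme.example": acme, "globex.example": globex})


if __name__ == "__main__":
    service = build_demo_service()
    session = service.open_session("alice@acme.example", "correct horse")
    for op in ("list", "download", "delete"):
        print(op, "->", "performed" if service.perform(session, op) else "denied")
```

In this design the password crosses from the service provider network to the subscriber's endpoint on every login, so that channel needs transport encryption and endpoint authentication, and the service has to treat a missing or malformed response as a failed login.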
3. The system of claim 1, wherein: the system is associated with a first network of the service provider network; the subscriber device and the user directory are associated with a second network that is remote from the first network of the service provider network; and sending, using the web API, the second request to the subscriber device comprises sending the second request from the first network to the second network.
A system for managing subscriber device communications across separate network domains. The invention addresses the challenge of securely transmitting requests from a service provider's network to a subscriber device located on a remote network. The system includes a subscriber device, a user directory, and a web API. The subscriber device and user directory operate on a second network distinct from the service provider's first network. When a request is initiated, the system uses the web API to send a second request from the service provider's first network to the remote second network where the subscriber device resides. This enables cross-network communication while maintaining separation between the service provider's infrastructure and the subscriber's network. The system ensures that requests are properly routed between the two networks without requiring direct integration between them.
4. The system of claim 1, further comprising: one or more server computing devices having one or more virtual servers, wherein authenticating the client device comprises authenticating, at least partly using the one or more virtual servers, the client device using Secure File Transfer Protocol (SFTP) authentication and a public key included in the authentication data.
The invention relates to a system for authenticating client devices using Secure File Transfer Protocol (SFTP) authentication with public key cryptography, integrated with virtual server infrastructure. The system includes one or more server computing devices hosting virtual servers that facilitate the authentication process. When a client device attempts to connect, the virtual servers verify its identity by processing authentication data containing a public key through SFTP authentication protocols. This approach leverages the security benefits of SFTP, which combines encryption and authentication mechanisms, while utilizing virtualized server environments to enhance scalability and resource efficiency. The public key included in the authentication data serves as a cryptographic credential, enabling secure and verifiable client authentication without requiring traditional password-based methods. By integrating SFTP authentication with virtual servers, the system provides a robust and flexible authentication framework suitable for distributed computing environments where secure remote access is critical. The virtual servers may handle key validation, session management, and policy enforcement, ensuring compliance with security standards while maintaining performance. This design supports multi-tenant environments, cloud deployments, or hybrid architectures where virtualized resources are dynamically allocated.
5. A computer-implemented method comprising: receiving, from a client device and at a service provider network, an authentication request to authenticate the client device for interaction with a service that is at least partly supported by computing resources of the service provider network, the authentication request including a unique account identifier for a user account associated with the service; determining a subscriber device from a group of subscriber devices that manages user data associated with the user account; sending, to a network endpoint associated with the subscriber device in a remote network, a first request including the unique account identifier to provide the user data associated with the user account, the subscriber device being associated with a subscriber account for which the computing resources are provisioned in the service provider network; receiving, from the network endpoint, a response that includes the user data associated with the user account, the user data including authentication data to authenticate the client device; authenticating, at least partly using the authentication data, the client device as being associated with the user account; receiving, from the client device, a second request to perform an operation associated with the service; and performing the operation associated with the service.
The invention relates to a computer-implemented authentication system for verifying client devices accessing a service hosted on a service provider network. The system addresses the challenge of securely authenticating a client device by leveraging a subscriber device associated with the user's account, which manages user data stored in a remote network. The process begins when the service provider network receives an authentication request from a client device, containing a unique account identifier. The system then identifies a subscriber device from a group of such devices, each linked to a subscriber account provisioned with computing resources in the service provider network. A first request, including the account identifier, is sent to a network endpoint tied to the subscriber device in the remote network to retrieve the user data, which includes authentication credentials. Upon receiving the user data, the system authenticates the client device using the embedded authentication data. Once authenticated, the system processes subsequent service-related operations requested by the client device. This approach enhances security by offloading authentication to a trusted subscriber device while maintaining seamless access to the service.
6. The computer-implemented method of claim 5, wherein the response comprises a first response, further comprising: sending a third request for an indication of access permissions associated with the user account; and receiving a second response including the indication of the access permissions associated with the user account, wherein the operation performed is permitted by the access permissions.
This invention relates to a computer-implemented method for managing access permissions in a system. The method addresses the problem of ensuring that operations performed by a user are authorized based on their access permissions, preventing unauthorized actions. The method involves sending a third request to a system to retrieve access permissions associated with a user account. In response, a second response is received, which includes an indication of the access permissions for that user account. The system then verifies whether the operation the user is attempting to perform is permitted by the access permissions. If the operation is allowed, it proceeds; otherwise, it is blocked. This process ensures that only authorized users can perform specific operations, enhancing security and compliance in systems where access control is critical. The method integrates with existing permission management systems to dynamically check and enforce access rights before executing operations. This approach is particularly useful in environments where user roles and permissions may change frequently, requiring real-time validation to maintain security.
7. The computer-implemented method of claim 6, wherein: the access permissions comprise first access permissions; the second response further includes one or more variables associated with a policy document that defines second access permissions associated with the user account; and the operation performed is further permitted by the second access permissions.
This invention relates to a computer-implemented method for managing access permissions in a system, particularly for determining whether a user account has the necessary permissions to perform a requested operation. The method addresses the challenge of efficiently evaluating multiple layers of access control policies to ensure secure and authorized access to resources. The method involves receiving a request to perform an operation associated with a user account and determining whether the operation is permitted by first access permissions associated with the user account. The response that carries the first access permissions also includes one or more variables associated with a policy document that defines second access permissions. These second access permissions are then evaluated to determine if the operation is permitted. The operation is only executed if it is permitted by both the first and second access permissions. This approach ensures that access control decisions are made based on a comprehensive evaluation of multiple permission layers, enhancing security and reducing unauthorized access risks. The method is particularly useful in systems where fine-grained access control is required, such as cloud computing environments, enterprise applications, or multi-tenant systems.
8. The computer-implemented method of claim 6, wherein: sending the first request includes calling a first web API associated with requests for authentication data; and sending the third request includes calling a second web API associated with requests for authorization data.
This invention relates to a computer-implemented method for handling authentication and authorization data in a system. The method addresses the problem of securely and efficiently managing user authentication and authorization processes, particularly in distributed systems where different services handle authentication and authorization separately. The method involves sending a first request to a first web API to obtain authentication data, such as credentials or tokens, required to verify a user's identity. This request is typically initiated when a user attempts to access a protected resource or service. The method then processes the authentication data to confirm the user's identity before proceeding. Subsequently, the method sends a third request to a second web API to obtain authorization data, which determines the user's permissions or access rights. This step ensures that the authenticated user is authorized to perform specific actions or access certain resources. The authorization data is then used to enforce access control policies within the system. The method may also include intermediate steps, such as validating the authentication data, generating session tokens, or logging access attempts, to enhance security and traceability. By separating the authentication and authorization processes into distinct API calls, the system improves modularity, scalability, and security. This approach is particularly useful in cloud-based or microservices architectures where different components handle authentication and authorization independently.
9. The computer-implemented method of claim 5, wherein: the user data further includes an indication of access permissions granted to the user account for interacting with the service; and the operation performed is permitted by the access permissions for the user account.
This invention relates to a computer-implemented method for managing user interactions with a service based on access permissions. The method involves processing user data associated with a user account, where the user data includes an indication of access permissions granted to the user account for interacting with the service. The method further involves performing an operation requested by the user account, where the operation is permitted by the access permissions associated with the user account. The access permissions define the specific actions or functionalities the user is authorized to perform within the service, ensuring that only permitted operations are executed. This approach enhances security and control by restricting user actions to those explicitly allowed by their assigned permissions, preventing unauthorized access or modifications. The method may be part of a broader system for managing user accounts and service interactions, where user data is stored and accessed to verify permissions before executing any requested operation. This ensures compliance with security policies and maintains the integrity of the service.
10. The computer-implemented method of claim 5, wherein: the authentication data includes a public key to authenticate the client device; and authenticating the client device includes authenticating the client device at least partly using a cryptographic authentication protocol and the public key.
This invention relates to secure authentication of client devices in a computing system. The problem addressed is ensuring secure and reliable authentication of client devices to prevent unauthorized access or impersonation. The method involves using cryptographic techniques to verify the identity of a client device before granting access to system resources. The authentication process includes receiving authentication data from the client device, where this data includes a public key associated with the device. The public key is used as part of a cryptographic authentication protocol to verify the client device's identity. The protocol may involve challenge-response mechanisms, digital signatures, or other cryptographic methods to confirm that the client device possesses the corresponding private key. This ensures that only authorized devices, which hold the private key, can successfully authenticate. The method may also include additional steps such as validating the public key against a trusted certificate authority or a predefined list of authorized keys. Once authentication is successful, the client device is granted access to the system or specific resources. This approach enhances security by leveraging cryptographic principles to prevent unauthorized access while maintaining efficient and scalable authentication processes. The invention is particularly useful in environments where secure device authentication is critical, such as cloud computing, IoT networks, or enterprise systems.
11. The computer-implemented method of claim 5, further comprising: receiving, from the client device, a password associated with the user account; and sending, to the network endpoint, the password associated with the user account, wherein the authentication data includes an indication that the unique account identifier and the password are verified for the user account.
This invention relates to a computer-implemented method for secure user authentication in a networked system. The method addresses the problem of verifying user credentials while maintaining security and efficiency in authentication processes. The system involves a client device, a network endpoint, and a user account associated with a unique account identifier and a password. The method includes receiving a password from the client device and transmitting this password to the network endpoint. The authentication data returned by the network endpoint includes an indication that both the unique account identifier and the password are verified for the user account. This ensures that the user is properly authenticated before accessing network resources. The method may also involve generating a session token upon successful authentication, which can be used for subsequent interactions without requiring repeated credential verification. The system may further include mechanisms to handle authentication failures, such as invalid credentials or expired sessions, by prompting the user to re-enter their credentials or by locking the account after multiple failed attempts. The overall approach enhances security by ensuring that only verified credentials are accepted and by minimizing exposure of sensitive information during the authentication process.
12. The computer-implemented method of claim 5, further comprising: determining a risk event associated with at least one of the client device or the authentication request; and selecting an authentication method for the authenticating the client device based at least in part on the risk event.
This invention relates to adaptive authentication systems for client devices, addressing the problem of balancing security and user convenience in authentication processes. The method involves dynamically selecting an authentication method based on risk assessment to enhance security while minimizing user friction. The system first evaluates an authentication request from a client device, which may include analyzing device attributes, user behavior, or contextual factors. A risk event is then identified, such as suspicious activity, unusual location, or device anomalies. Based on this risk assessment, the system selects an appropriate authentication method, ranging from low-friction options like single-factor authentication for low-risk scenarios to multi-factor or step-up authentication for high-risk events. The selection process ensures that security measures are proportionate to the detected risk, improving both protection and user experience. The method may also integrate with existing authentication frameworks, allowing seamless adaptation to varying threat levels. This approach reduces the likelihood of unauthorized access while maintaining efficiency for legitimate users.
13. The computer-implemented method of claim 5, wherein: the user data further includes first session credentials that provide access permissions to the user account for interacting with the service for a first period of time; and performing the operation associated with the service comprises performing, at least partly using the first session credentials, a first portion of the operation during the first period of time; the method further comprising: sending a third request for second session credentials that provide access permissions to the user account for a second period of time; receiving the second session credentials; and performing, at least partly using the second session credentials, a second portion of the operation during the second period of time subsequent the first period of time.
This invention relates to a computer-implemented method for managing user access to a service through session-based credentials. The problem addressed is the need to maintain continuous access to a service when session credentials expire, ensuring seamless operation without requiring user intervention. The method involves handling user data that includes first session credentials, which grant temporary access permissions to a user account for interacting with the service during a first time period. The method performs a portion of an operation associated with the service using these credentials during the first period. To extend access beyond the first period, the method sends a request for second session credentials, which provide access for a subsequent second time period. Upon receiving the second credentials, the method completes the remaining portion of the operation using these new credentials. This approach ensures uninterrupted service access by dynamically obtaining and utilizing new credentials as needed, preventing disruptions due to credential expiration. The method is particularly useful in systems where operations span longer than a single session duration, such as cloud services, APIs, or multi-step workflows.
14. The computer-implemented method of claim 5, wherein: the authentication data includes a public key to authenticate the client device; and authenticating the client device includes authenticating, at least partly by a virtual server, the client device using Secure File Transfer Protocol (SFTP) authentication and the public key.
This invention relates to secure authentication of client devices in a computing environment, particularly for verifying device identity and establishing secure communication channels. The problem addressed is ensuring secure and reliable authentication of client devices in distributed systems, such as cloud or virtualized environments, where unauthorized access or impersonation could compromise data integrity and security. The method involves authenticating a client device using authentication data that includes a public key. The authentication process is performed at least partially by a virtual server, which verifies the client device using Secure File Transfer Protocol (SFTP) authentication in combination with the public key. SFTP is a network protocol that provides secure file transfer capabilities over a data stream, typically using SSH (Secure Shell) for encryption and authentication. By leveraging SFTP authentication alongside public key cryptography, the method ensures that only authorized devices with valid public keys can establish secure connections. The virtual server acts as an intermediary, validating the client device's identity by checking the public key against a trusted database or certificate authority. This approach enhances security by combining protocol-level authentication with cryptographic verification, reducing the risk of unauthorized access. The method is particularly useful in environments where secure file transfers or remote access are required, such as cloud computing, enterprise networks, or IoT (Internet of Things) deployments. The use of SFTP ensures encrypted communication, while the public key provides an additional layer of identity verification.
15. A system comprising: one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to: receive, from a client device, an authentication request for the client device to interact with a service that is at least partly supported by computing resources of a service provider network, the request including a unique account identifier for a user account associated with the service; determine a subscriber device from a group of subscriber devices that manages user data associated with the user account; send, to a network endpoint associated with the subscriber device in a remote network, a first request for the user data associated with the user account, the subscriber device being associated with a subscriber account for which the computing resources are provisioned in the service provider network; receive, from the network endpoint, a response that includes the user data associated with the user account, the user data including: authentication data to authenticate the client device; and an indication of access permissions for the user account to interact with the service; authenticate the client device based at least in part on the authentication data; receive, from the client device, a second request to perform an operation associated with the service; and perform the operation associated with the service based at least in part on the operation being permitted by the access permissions for the user account.
The system involves a method for authenticating and authorizing client devices to interact with a service hosted in a service provider network. The service relies on computing resources provisioned for a subscriber account, where the subscriber manages user data for multiple user accounts. When a client device requests access to the service, the system identifies a subscriber device from a group of devices that manages the relevant user data. The system then retrieves this data, including authentication credentials and access permissions, from the subscriber device via a network endpoint in a remote network. The client device is authenticated using the retrieved credentials, and subsequent requests to perform operations are evaluated against the user account's permissions. If the operation is permitted, the system executes it. This approach centralizes user data management while enabling secure, permission-based access to services in a distributed network environment. The system ensures that authentication and authorization are handled efficiently, even when the subscriber device is located in a separate network.
16. The system of claim 15, wherein: the authentication data includes a public key to authenticate the client device; and authenticating the client device utilizing a cryptographic authentication protocol and the public key.
A system for secure device authentication in a networked environment addresses the challenge of verifying the identity of client devices to prevent unauthorized access. The system includes a server configured to receive authentication data from a client device and authenticate the device based on this data. The authentication data includes a public key, which is used in conjunction with a cryptographic authentication protocol to verify the client device's identity. The server processes the authentication data, applies the cryptographic protocol, and grants or denies access based on the validation of the public key. This ensures secure communication by confirming the client device's legitimacy before allowing network access. The system may also include additional components, such as a network interface for communication and a processor for executing authentication logic. The cryptographic protocol may involve key exchange, digital signatures, or other methods to establish trust between the server and the client device. By leveraging public-key cryptography, the system enhances security by mitigating risks associated with spoofing or unauthorized access attempts.
17. The system of claim 15, wherein: the authentication request further includes a password associated with the user account; the first request includes the unique account identifier and the password; and the authenticating data includes an indication that the unique account identifier and the password are valid for the user account.
This invention relates to a system for authenticating user accounts, particularly in scenarios where a user requests access to a service or resource. The system addresses the problem of securely verifying user credentials to prevent unauthorized access while ensuring legitimate users can authenticate efficiently. The system includes a user device that generates an authentication request containing a unique account identifier and a password associated with the user account. The user device sends this request to an authentication server. The authentication server processes the request by validating the unique account identifier and password against stored credentials for the user account. If the credentials are valid, the server generates authenticating data indicating successful authentication, which is then transmitted back to the user device. This data confirms that the provided account identifier and password are correct for the user account, allowing the user to proceed with accessing the requested service or resource. The system ensures secure authentication by requiring both a unique account identifier and a password, reducing the risk of unauthorized access. The authentication process is streamlined by directly validating the credentials against stored data, minimizing delays while maintaining security. This approach is particularly useful in applications where quick and reliable user verification is essential, such as online services, financial transactions, or secure access systems.
18. The system of claim 15, wherein: the access permissions comprise first access permissions; the response further includes one or more variables associated with a policy document that defines second access permissions associated with the user account; and the operation performed is further permitted by the second access permissions.
This invention relates to a system for managing access permissions in a computing environment, particularly for controlling operations based on policy documents. The system addresses the challenge of dynamically evaluating and enforcing access permissions to ensure secure and compliant operations within a distributed computing environment. The system includes a computing device that receives a request to perform an operation associated with a user account. The request includes an identifier for the user account and an identifier for the operation. The system retrieves access permissions associated with the user account and determines whether the operation is permitted by those permissions. If the operation is permitted, the system performs the operation. If not, the system may deny the request or take other actions based on predefined rules. The system also evaluates additional variables from a policy document that defines secondary access permissions for the user account. These secondary permissions further refine whether the operation is allowed. The policy document may include conditions, constraints, or other rules that must be satisfied for the operation to proceed. The system ensures that the operation complies with both the primary and secondary access permissions before execution. This approach enhances security by enforcing granular access control through multiple layers of permission checks, reducing the risk of unauthorized operations while maintaining flexibility in policy management. The system is particularly useful in cloud computing, enterprise environments, or any scenario requiring fine-grained access control.
19. The system of claim 15, wherein sending the first request for the user data to the network endpoint comprises: calling a first web API associated with the network endpoint to provide the authentication data; and calling a second web API associated with the network endpoint to provide the indication of the access permissions.
This invention relates to a system for securely accessing user data from a network endpoint. The problem addressed is the need to efficiently and securely retrieve user data while ensuring proper authentication and authorization. The system includes a client device that sends a request for user data to a network endpoint, which may be a server or cloud service. The request includes authentication data to verify the identity of the user or client device. The system also checks access permissions to determine whether the requesting entity is authorized to retrieve the specified user data. The network endpoint processes the request, validates the authentication data, and verifies the access permissions before returning the requested user data to the client device. The system ensures secure and controlled access to user data by separating authentication and authorization into distinct steps. The client device calls a first web API to provide authentication data, such as credentials or tokens, to the network endpoint. After successful authentication, the client device calls a second web API to provide an indication of the access permissions, which may include role-based or attribute-based permissions. This two-step API approach enhances security by isolating authentication and authorization processes, reducing the risk of unauthorized access. The system is particularly useful in cloud-based or distributed computing environments where secure data access is critical.
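An added example, not taken from the patent or from any provider's implementation, of the flow in claims 17 to 19, read here as the service calling two endpoint APIs: one returns a credential-validity indication, the other returns the first permissions plus policy variables, and an operation runs only when both permission layers allow it. The directory contents, function names, policy format and the `${home}` variable are assumptions made for illustration.

```python
import hashlib
import hmac
import posixpath
from string import Template

def _hash(password):  # constructed salt and iteration count, for the demo only
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)

# Constructed stand-in for the subscriber's user directory (not from the patent).
DIRECTORY = {"acct-1001": {
    "pw_hash": _hash("correct horse"),
    "permissions": ["read", "list"],             # first access permissions
    "policy_vars": {"home": "/data/acct-1001"},  # variables for the policy document
}}
# Hypothetical policy document; ${home} is filled in from the endpoint's response.
POLICY = {"allow_ops": ["read", "list", "write"], "path_prefix": "${home}/"}

def auth_api(account_id, password):
    """First web API (hypothetical): returns only a validity indication."""
    user = DIRECTORY.get(account_id)
    stored = user["pw_hash"] if user else _hash("")  # same work for unknown accounts
    match = hmac.compare_digest(stored, _hash(password))
    return {"valid": bool(user) and match}

def permissions_api(account_id):
    """Second web API (hypothetical): first permissions plus policy variables."""
    user = DIRECTORY.get(account_id)
    if user is None:
        return None
    return {"permissions": user["permissions"], "policy_vars": user["policy_vars"]}

def open_session(account_id, password):
    """Authenticate, then fetch authorization data; fail closed on any gap."""
    if not auth_api(account_id, password).get("valid"):
        return None
    data = permissions_api(account_id)
    if not data or "home" not in data.get("policy_vars", {}):
        return None
    prefix = Template(POLICY["path_prefix"]).substitute(data["policy_vars"])
    return {"first": set(data["permissions"]),
            "second": set(POLICY["allow_ops"]), "prefix": prefix}

def is_permitted(session, op, path):
    """An operation runs only if both permission layers allow it."""
    if session is None:
        return False
    inside = (posixpath.normpath(path) + "/").startswith(session["prefix"])
    return op in session["first"] and op in session["second"] and inside
```

The path is normalized before the prefix comparison so that `..` segments and sibling directories sharing a name prefix do not satisfy the second permission layer.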
20. The system of claim 19, wherein: the authentication data includes a public key to authenticate the client device; and authenticating the client device includes authenticating, at least partly by a virtual server associated with the system, the client device using Secure File Transfer Protocol (SFTP) authentication and the public key.
A system for secure client device authentication in a networked environment involves verifying the identity of a client device using cryptographic methods. The system includes a virtual server that authenticates the client device by validating authentication data, which includes a public key. The authentication process leverages Secure File Transfer Protocol (SFTP) to ensure secure communication and verify the client device's identity using the provided public key. This method enhances security by ensuring that only authorized devices with valid cryptographic credentials can access the system, mitigating unauthorized access risks. The virtual server acts as an intermediary, processing the authentication request and confirming the client device's legitimacy before granting access to network resources. This approach is particularly useful in environments where secure data transfer and strict access control are required, such as cloud computing, enterprise networks, or remote access systems. The use of SFTP and public key authentication provides a robust defense against common cybersecurity threats, including man-in-the-middle attacks and credential theft. The system ensures that only devices with the correct cryptographic keys can establish a secure connection, maintaining the integrity and confidentiality of transmitted data.
December 29, 2020